Emerging Trends in Internal Controls - PowerPoint PPT Presentation

About This Presentation
Title:

Emerging Trends in Internal Controls

Description:

... to the independent auditor ... engaging forensic specialists/advisors to assist with ... code of conduct to assess the financial reporting culture ... – PowerPoint PPT presentation

Slides: 33
Provided by: brian363

Transcript and Presenter's Notes

Title: Emerging Trends in Internal Controls


1
Emerging Trends in Internal Controls
  • Utilities

2
Discussion Topics
  • 404 Lessons Learned & Emerging Practices
  • 2004 Reporting Results
  • Cross-Industry 404 Issues
  • 404 Sustainability Framework and Key
    Considerations
  • PCAOB/SEC Guidance (May 16, 2005) and Other
    Considerations
  • Utilities 404 Survey Results
  • Year 1 Overview
  • Year 2 Considerations
  • Ongoing Strategy

3
Lessons Learned & Emerging Practices: 2004 Reporting Results
4
Reporting Results: As of May 6, 2005
Source: The Ames Research Group (May 6, 2005); analysis by Ernst & Young Center for Business Knowledge
5
Reporting Results: Internal Control Issues Reported by Companies with Ineffective Controls (All Companies)
Each internal control issue may not be a material weakness, as several control issues may have aggregated to a reported material weakness.
Percentage of Internal Control Issues by Major Category: All Companies
Source: The Ames Research Group (May 6, 2005); analysis by Ernst & Young Center for Business Knowledge
6
Reporting Results: Internal Control Issues Reported by Companies with Ineffective Controls (Utilities)
Each internal control issue may not be a material weakness, as several control issues may have aggregated to a reported material weakness.
Percentage of Internal Control Issues by Major Category: Utilities
Source: The Ames Research Group (May 6, 2005); analysis by Ernst & Young Center for Business Knowledge
7
Lessons Learned & Emerging Practices: Cross-Industry 404 Issues
8
Cross-Industry 404 Issues
  • Financial statement close process (FSCP) and
    disclosure
  • Entity-level and anti-fraud controls
  • Information technology
  • Income taxes
  • Service organizations
  • Scope and coverage
  • Evaluating deficiencies

9
Financial Statement Close Process & Disclosure: Reporting Results, FSCP Internal Control Issues
Percentage of FSCP Internal Control Issues by Type
10
Financial Statement Close Process & Disclosure: Year 2 Considerations
  • Test and evaluate FSCP early in the 404 process
  • Request IT assistance as needed for automated
    aspects of FSCP
  • Appropriate focus on application and IT general
    controls over FSCP
  • Automated reconciliation between trial balance
    and the financial statements
  • Invest adequate time formalizing controls over
    authorizing, recording, and review of journal
    entries

11
Financial Statement Close Process & Disclosure: Ongoing Strategy
  • Application of GAAP Accounting Policies
  • Invite independent auditor to attend accounting
    policy committee meetings
  • Working with the independent auditor throughout
    the FSCP
  • Provide working drafts of the 10-K with a list of
    outstanding numbers/disclosures/controls tested
  • Disclosure committee
  • Management should consider completing a GAAP
    disclosure checklist
  • Provide minutes to the independent auditor
  • Independent auditor invited to attend disclosure
    committee meetings
  • Reassess adequacy of accounting/finance resources
  • Hard close one quarter or one month prior to
    year-end
  • Move up measurement date of pensions & OPEBs 30
    days (an accounting change)

12
Entity-Level & Anti-Fraud Controls: Ongoing Strategy
  • Effective entity-level controls can provide for
    more efficient strategies in determining
  • Coverage (i.e., number of locations, business
    units)
  • Individually insignificant but significant in the
    aggregate locations to test
  • Extent and timing of update procedures at
    year-end
  • Management may consider documenting and
    evaluating more monitoring controls
  • Testing more monitoring controls might allow
    management to alter strategy for testing certain
    transaction-level controls to be more efficient
  • Automate monitoring of completion of compliance
    and ethics documentation

13
Entity-Level & Anti-Fraud Controls: Ongoing Strategy
  • Formalize fraud risk assessment
  • Consider engaging forensic specialists/advisors
    to assist with evaluating and improving the
    company's anti-fraud programs and controls
  • Implement AICPA recommendations for audit
    committees to consider risk of management
    override of controls
  • Maintaining appropriate level of skepticism
  • Strengthening audit committee's understanding of
    the business
  • Brainstorming to identify fraud risks
  • Using the company's code of conduct to assess the
    financial reporting culture
  • Cultivating a vigorous whistleblower program
  • Developing a broad information and feedback
    network
  • Refer to "Management Override of Internal
    Controls: The Achilles' Heel of Fraud
    Prevention," AICPA Antifraud Programs and
    Controls Task Force, January 2005

14
Service Organizations: How many service organizations are included within the scope of 404?
Number of Service Organizations Included Within 404 Scope
Percentage of Service Organizations for Which Primary Reliance Placed Upon a SAS 70 Report
  • 46% of companies surveyed have a significant
    number of service providers included within the
    scope of 404
  • For 32% of service organizations, no reliance was
    placed upon a Service Auditor (SAS 70) report
  • Although an important tool, SAS 70s are only one
    of a number of mechanisms and approaches used to
    address 404 requirements

15
Service Organizations Year 1 Overview
  • Some Service Auditor Reports (SAS 70s) were not
    available to management in time for documentation
    or testing
  • Scope of SAS 70s did not always cover the
    controls management relied on
  • Companies need to document their own internal
    controls (i.e., user controls), but in some
    instances did not adequately address those user
    controls

16
Service Organizations Ongoing Strategy
  • Challenge the third-party service provider
    regarding the scope and timing of the SAS 70
    report and other information the company has
    provided
  • Some best-in-class outsourcers have elected to
    issue semi-annual SAS 70 reports covering a
    rolling 12 months (e.g., SAS 70 issued for the
    period covering May 31 and November 30)
  • Companies can request the service organization to
    provide more timely and thorough information
  • Communications with third-party providers will
    have implications on 404/302 processes

17
Scope and Coverage: What location selection criteria were used for initial compliance?
Location Selection
18
Scope and Coverage: How many locations were included within the scope of the Section 404 documentation and testing at the transaction level in Year 1?
Number of Locations - Utilities
19
Scope and Coverage: How does the company plan to address individually insignificant locations, operations, or subsidiaries that were out of scope for the initial compliance year?

Year 2 Approach
20
Scope and Coverage Year 2 Considerations
  • Management should focus on a risk-based approach
    for allocating effort of testing controls
  • Management should take into consideration
  • Appropriate level of testing at shared service
    locations
  • Sampling strategies across multiple locations
  • Management may document and evaluate more
    monitoring controls
  • Testing these controls might provide more
    flexibility for testing transaction-level
    controls at individual locations
  • Effective entity-level controls can affect the
    independent auditor's strategy for determining
    how many individually insignificant but
    significant in the aggregate locations to
    include in scope
  • Expanded testing of entity-level controls might
    provide more flexibility in the nature, timing,
    and extent of transaction-level testing

21
Evaluating Deficiencies Year 1 Overview
  • Most companies underestimated the number of
    control deficiencies
  • Sensitive/higher risk areas were often tested
    later in the year and resulted in more
    deficiencies requiring evaluation at year-end
  • Inexperience with evaluating the results of
    testing sometimes resulted in identifying
    deficiencies late in the year
  • Significant judgment was required to evaluate
    some deficiencies

22
Evaluating Deficiencies Year 2 Considerations
  • Timely evaluation and testing of areas subject to
    higher risk
  • Remediate early enough to avoid year-end material
    weakness
  • Address unremediated deficiencies from Year 1
  • Consider potential misstatements to both annual
    and interim financial statements when evaluating
    deficiencies

23
Evaluating Deficiencies Ongoing Strategy
  • Prioritize the timing and resources dedicated to
    the testing of controls over higher risk areas
    and pervasive controls that have a greater
    potential for material weaknesses
  • Timely coordination between independent auditor
    and company on deficiencies (e.g., management and
    the independent auditor meet bi-monthly to
    evaluate deficiencies)
  • Monitoring and managing the remediation process
  • PMO identifies gaps and prioritizes remediation
    activities with a focus on cost to remediate,
    materiality considerations, compensating
    controls, and IT efficiencies
  • Process owners manage remediation
  • Internal audit monitors remediation activities
    and performs retesting
  • Process management team provides overall support
    to remediation efforts
  • Protocols established to report on a regular
    basis to the audit committee on remediation
    progress

24
404 Sustainability Framework
Test and Monitor Controls
Report
Update Documentation and Evaluate Control Design
Implement Monitoring Infrastructure
Approach
Sustainability Phases
Management's Year-End Report on Internal Control
Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring Systems
Update Documentation and Evaluate Internal
Control Design at the Process, Transaction, or
Application Level
Evaluate Internal Control at the Entity Level
Develop or Supplement Internal Control Compliance
Function
Maintain Internal Control Framework
  • Establish clear ownership for ongoing compliance
    and monitoring
  • Leverage initial implementation results to
    realize value
  • Establish or formalize programs to support
    updating entity level control assessments,
    including processes for risk assessment,
    evaluation, and remediation of deficiencies
  • Consider any updates to COSO or other internal
    control guidance
  • Integrate with other risk management processes
  • Establish control documentation ownership and
    accountability, including process to ensure
    comprehensive and timely updates.
  • Process must address changes in overall business,
    process, people and technology
  • Formalize process for developing and executing
    test plans and standards for documenting and
    reporting test results.
  • Formalize issue tracking, gap assessment and gap
    remediation processes
  • Formalize communications and ongoing process for
    management review and signoff
  • Technology enablers
  • Continuous control monitoring
  • Organizational alignment & accountability
  • Efficient, sustainable infrastructure

Continuous process of compliance
Continuous auditor's examination
25
SOX 404: Moving from Project to Process
Planning Documentation Testing Remediation
Compliance Sustainability
Cost Containment
Value Generation
26
Framework for 404 Rationalization & Optimization
All Controls identified within 404-documentation
Controls over Risks with LOW rating
Insignificant Controls
Controls over inconsequential GL codes
entities
Exclude from Testing
Non 404 Controls
Controls over Non FR related Risks
Compensatory Controls
Complementary Controls
Duplicate Controls
Redundant Controls
Eliminate


Rationalized Key Controls Set
Optimize Testing
Optimize number of tests and sample sizes
Optimize & Improve Controls
27
PCAOB/SEC Guidance (May 16, 2005) and Other
Considerations
28
PCAOB/SEC Guidance and Other Considerations: Overall Scope/Risk-Based Approach
29
PCAOB/SEC Guidance and Other Considerations: Testing Strategy
30
PCAOB/SEC Guidance and Other Considerations: Entity-Level Controls
31
PCAOB/SEC Guidance and Other Considerations: Monitoring Activities
32
PCAOB/SEC Guidance and Other Considerations: Communication with Independent Auditors